docker-salt-master/.github/workflows/security-analysis.yml

name: Security analysis

on:
  push:
    branches:
      - main
  pull_request:
  schedule:
    - cron: '0 0 * * 1'

jobs:
  security-analysis:
    name: Trivy scan
    runs-on: ubuntu-latest
    env:
      CACHE_PATH: ${{ github.workspace }}/.buildx-cache

    steps:
      - name: Checkout repository
        if: github.event_name != 'schedule'
        uses: actions/checkout@v4

      - name: Set up QEMU
        if: github.event_name != 'schedule'
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        if: github.event_name != 'schedule'
        uses: docker/setup-buildx-action@v3

      - name: Cache Docker layers
        if: github.event_name != 'schedule'
        uses: actions/cache@v3
        with:
          path: ${{ env.CACHE_PATH }}
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      - name: Build docker-salt-master image
        if: github.event_name != 'schedule'
        uses: docker/build-push-action@v5.0.0
        with:
          context: .
          file: ./Dockerfile
          cache-from: |
            type=local,src=${{ env.CACHE_PATH }}
            ghcr.io/cdalvaro/docker-salt-master:latest
          cache-to: type=local,dest=${{ env.CACHE_PATH }}
          pull: true
          load: true
          tags: ghcr.io/cdalvaro/docker-salt-master:${{ github.sha }}

      - name: Download and tag latest image
        if: github.event_name == 'schedule'
        run: |
          docker pull ghcr.io/cdalvaro/docker-salt-master:latest
          docker tag ghcr.io/cdalvaro/docker-salt-master:latest ghcr.io/cdalvaro/docker-salt-master:${{ github.sha }}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'ghcr.io/cdalvaro/docker-salt-master:${{ github.sha }}'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'